A new ransomware called CryptoRoger has been discovered today by MalwareBytes security researcher S!Ri. This ransomware encrypts a victim's files using AES encryption and then appends the .crptrgr extension to the encrypted filenames. The malware dev then demands a ransom payment of 0.5 bitcoins, or ~$360 USD, in order to retrieve the decryption key. Unfortunately, at this time there is no known way to decrypt files encrypted by CryptoRoger.

CryptoRoger Ransom Note

How CryptoRoger Encrypts a Victim's Files

At this time, it is unknown how CryptoRoger is distributed. Once the ransomware is installed, it will scan a victim's drives for data files, encrypt them using AES-256 encryption, and append the .crptrgr extension to the name of each encrypted file. For example, a file called test.jpg will be encrypted as test.jpg.crptrgr. For each file that is encrypted, the ransomware also computes the MD5 hash of the original file and stores it, along with the filename, in the %AppData%\files.txt file.

When the ransomware is done encrypting your files it will open the ransom note called !Where_are_my_files!.html as shown above. This ransom note will contain instructions stating that the victim should install the uTox messaging program to contact the developer at the uTox address F12CCE864152DA1421CE717710EC61A8BE2EC74A712051447BAD56D1A473194BE7FF86942D3E.

The instructions further state that you need to send him the keys.dat file in order to decrypt your files. Based on the strings found in the executable, this keys.dat file probably holds the AES key that was used to encrypt the victim's files. The key in this file, though, appears to be encrypted with an RSA public key stored in the malware executable. When the malware dev receives the keys.dat file, he can decrypt it using his master private RSA key and then send the decrypted AES decryption key back to victims who have paid.

Finally, this ransomware will create a .VBS file in the Windows Startup folder so that the ransomware is started every time a user logs into Windows. This allows the ransomware to encrypt any new files that may have been created since the last login.
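The indicators described above (the .crptrgr extension, the !Where_are_my_files!.html note, %AppData%\files.txt, and the x.vbs script in the Startup folder) are enough to build a simple host sweep. The script below is an added example for incident responders and is not code from the article or from the ransomware; the directory layout it constructs is a throwaway imitation of a Windows profile, and the MD5 check assumes you already have the hash the malware recorded for a file (the exact format of files.txt is not described in the article, so no parser for it is attempted here).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators of compromise taken from the article.
ENCRYPTED_EXT = ".crptrgr"
RANSOM_NOTE = "!Where_are_my_files!.html"
HASH_LIST = "files.txt"          # %AppData%\files.txt
STARTUP_SCRIPT = "x.vbs"         # %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
STARTUP_SUFFIX = ("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def sweep(root):
    """Walk `root` and collect CryptoRoger indicators, grouped by type.

    Returns a dict of lists of full paths. A file named files.txt anywhere is
    reported (false positives are cheap to triage); x.vbs is only reported when
    it sits in a Startup folder, matching the persistence path from the article.
    """
    findings = {"encrypted_files": [], "ransom_notes": [],
                "hash_lists": [], "startup_scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        in_startup = Path(dirpath).parts[-len(STARTUP_SUFFIX):] == STARTUP_SUFFIX
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(full)
            elif name == RANSOM_NOTE:
                findings["ransom_notes"].append(full)
            elif name == HASH_LIST:
                findings["hash_lists"].append(full)
            elif name.lower() == STARTUP_SCRIPT and in_startup:
                findings["startup_scripts"].append(full)
    return findings


def is_infected(findings):
    """Encrypted files or the ransom note are sufficient evidence of infection;
    the hash list and Startup script corroborate it and show persistence."""
    return bool(findings["encrypted_files"] or findings["ransom_notes"])


def md5_of(path):
    """Stream a file through MD5 (the hash the malware recorded per original file)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restored(restored_path, recorded_md5):
    """After restoring a file from backup, compare it with the MD5 the malware
    recorded for the original. A match means the restore is byte-identical
    to the pre-encryption file, so nothing else needs to be recovered for it."""
    return md5_of(restored_path) == recorded_md5.lower()


def build_sample_tree():
    """Constructed sample data: a temporary directory shaped like an infected
    Windows profile. Contents are placeholders, not real malware artifacts."""
    root = tempfile.mkdtemp(prefix="cryptoroger_demo_")
    appdata = os.path.join(root, "AppData", "Roaming")       # %AppData%
    startup = os.path.join(appdata, *STARTUP_SUFFIX)
    os.makedirs(startup)
    Path(startup, STARTUP_SCRIPT).write_text("' constructed placeholder\n")
    Path(appdata, HASH_LIST).write_text("")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    Path(docs, "test.jpg" + ENCRYPTED_EXT).write_bytes(b"\x00" * 16)
    Path(docs, RANSOM_NOTE).write_text("<html>constructed note</html>")
    Path(docs, "untouched.txt").write_text("hello")           # MD5 5d41402abc4b2a76b9719d911017c592
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = sweep(demo_root)
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
    print("infected:", is_infected(result))
```

On a real host, point `sweep` at the user profile root (or each fixed drive) rather than at the constructed tree; the Startup-folder check is path based, so it works on a mounted offline image as well as on a live system.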

For those who wish to discuss this ransomware or need support, you can use this forum topic: 

Files associated with the CryptoRoger Ransomware

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Registry entries associated with the CryptoRoger Ransomware


